analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

sda.zip

Full analysis: https://app.any.run/tasks/113b816d-aeeb-4bd3-b53b-5e92edec20b4
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: August 12, 2022, 17:39:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

533F7E6EA1052A408026137FBB183E42

SHA1:

3FB462EDC6F389D24402CF329E9ABBA5B4F6936E

SHA256:

F71C62FFB74037C2F2591C4D78AF5A0557C0D4209AFC0FD03EF9FF2B8820F07D

SSDEEP:

1536:VlxFp1J7b2EPUmdHNk0KrHZpGy/xuEVtcEKyPEra:B1RPKpHvGypTKxm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 2888)

    • Drops executable file immediately after starts

      • WINWORD.EXE (PID: 2888)

    • Application was dropped or rewritten from another process

      • adobmngr.exe (PID: 3608)

  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 1716)
      • adobmngr.exe (PID: 3608)

    • Checks supported languages

      • WinRAR.exe (PID: 1716)
      • adobmngr.exe (PID: 3608)

    • Drops a file with a compile date too recent

      • WINWORD.EXE (PID: 2888)

    • Reads Environment values

      • adobmngr.exe (PID: 3608)

  • INFO

    • Checks supported languages

      • WINWORD.EXE (PID: 2888)

    • Manual execution by user

      • WINWORD.EXE (PID: 2888)

    • Reads the computer name

      • WINWORD.EXE (PID: 2888)

    • Reads settings of System Certificates

      • adobmngr.exe (PID: 3608)

    • Searches for installed software

      • WINWORD.EXE (PID: 2888)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Unknown (99)
ZipModifyDate: 2022:08:12 19:38:01
ZipCRC: 0xe33dc48b
ZipCompressedSize: 70303
ZipUncompressedSize: 86339
ZipFileName: test.docx
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs winword.exe adobmngr.exe

Process information

PID
CMD
Path
Indicators
Parent process
1716"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sda.zip"C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
2888"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\test.docx"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3608"C:\Users\admin\Desktop\adobmngr.exe" C:\Users\admin\Desktop\adobmngr.exe
WINWORD.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Windows.UI.Xaml.Media.Animatione
Exit code:
3762504530
Version:
1.0.0.0
Total events
7 743
Read events
6 958
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
11
Text files
3
Unknown types
4

Dropped files

PID
Process
Filename
Type
2888WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRF1A4.tmp.cvr
MD5:
SHA256:
2888WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{9C2077A4-0EF3-41AB-B6C8-2A3BE936FD3C}.FSDbinary
MD5:20740702D3B19466E074E323771CB746
SHA256:EA6BB46CBA7B215A3367833AE301A79F1131BA17BE798AD801A57DA02D4BDD21
2888WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B3AB20F.dotmdocument
MD5:B034141A993BC39C86A0242508666C42
SHA256:411396D3582334E4FF98763769BF2E05A6A978AF2E1BF0AADABDE5E21EAB4E42
2888WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\20.7.43.70.urltext
MD5:4F28D246CA7882F66AFC6F19CC4FFC94
SHA256:187205E4AC3848447815A84C4341C50B096DEFD5C32BB9BE4377E53AB3B1CA7E
2888WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{A0E8AFFC-A0E6-4156-B804-DD7CF82CF1B4}.FSDbinary
MD5:96ACCC51A25E09760CCE7E64FC6219A5
SHA256:48119E617C742D72A156C23CAD59B8B72976F8D6656D192C20DF3C2087715587
2888WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSDbinary
MD5:3CEC8B00663622E1B22E7C67F85DCBB5
SHA256:59B0824DB747F2D8296AFC9FA647AB4089DF4D732EA0D35A0D9CF85D6CC882E8
2888WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\dBFDi[1].exeexecutable
MD5:4818FE2C4288C163B23AD71A8584B362
SHA256:13DA72B2853452DC11C395692BC8C5E2071985B1463E84786AB40630EB851881
2888WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\dBFDi.dotm.urltext
MD5:E9AEA8C0D1619EB9530C6BA7FA9525CD
SHA256:44C637C01FE63B708317E0919BAACA8D96E8F911256E21C16E8CE78BA3CB57FD
2888WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDbinary
MD5:4C2E3258F90629AD8E94DDC797462CB0
SHA256:6867D1F1F0B8C06338ACFAFCA6039D5E4E2241907BFAEF4A4E26A8950A2F925C
2888WINWORD.EXEC:\Users\admin\AppData\Local\Temp\{BB51E862-BA62-41B2-AD42-9D1C287FDD4A}binary
MD5:3CEC8B00663622E1B22E7C67F85DCBB5
SHA256:59B0824DB747F2D8296AFC9FA647AB4089DF4D732EA0D35A0D9CF85D6CC882E8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
8
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2888
WINWORD.EXE
HEAD
200
20.7.43.70:80
http://20.7.43.70/dBFDi.dotm
US
suspicious
708
svchost.exe
OPTIONS
200
20.7.43.70:80
http://20.7.43.70/
US
suspicious
2888
WINWORD.EXE
OPTIONS
200
20.7.43.70:80
http://20.7.43.70/
US
suspicious
708
svchost.exe
PROPFIND
20.7.43.70:80
http://20.7.43.70/
US
suspicious
2888
WINWORD.EXE
GET
200
20.7.43.70:80
http://20.7.43.70/dBFDi.exe
US
executable
90.5 Kb
suspicious
2888
WINWORD.EXE
GET
200
20.7.43.70:80
http://20.7.43.70/dBFDi.dotm
US
document
19.5 Kb
suspicious
2888
WINWORD.EXE
HEAD
200
20.7.43.70:80
http://20.7.43.70/dBFDi.dotm
US
document
19.5 Kb
suspicious
708
svchost.exe
PROPFIND
405
20.7.43.70:80
http://20.7.43.70/
US
html
1.26 Kb
suspicious
708
svchost.exe
PROPFIND
405
20.7.43.70:80
http://20.7.43.70/
US
html
1.26 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
708
svchost.exe
20.7.43.70:80
US
suspicious
3608
adobmngr.exe
162.159.133.233:443
cdn.discordapp.com
Cloudflare Inc
shared
2888
WINWORD.EXE
20.7.43.70:80
US
suspicious

DNS requests

Domain
IP
Reputation
cdn.discordapp.com
  • 162.159.133.233
  • 162.159.134.233
  • 162.159.130.233
  • 162.159.129.233
  • 162.159.135.233
shared
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
2888
WINWORD.EXE
A Network Trojan was detected
AV INFO MS OFFICE template injection part1
2888
WINWORD.EXE
Potentially Bad Traffic
ET INFO Doc Requesting Remote Template (.dotm)
2888
WINWORD.EXE
Potentially Bad Traffic
ET INFO Doc Requesting Remote Template (.dot)
2888
WINWORD.EXE
A Network Trojan was detected
AV INFO MS OFFICE template injection part2
2888
WINWORD.EXE
A Network Trojan was detected
AV INFO MS OFFICE template injection part2
2888
WINWORD.EXE
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
2888
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
2888
WINWORD.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2888
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
2888
WINWORD.EXE
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
sda.zip